$13 432 000 USD

MAY 2021

GLOBAL

EOS SX VAULT

DESCRIPTION OF EVENTS

"Vaults.sx is a yield aggregator where users can deposit EOS or USDT in return for interest-bearing SXEOS/SXUSDT tokens. The deposited tokens are then available in the flash.sx contract for flashloans and aggregate fees. Finally, SX tokens can be redeemed for a pro-rata share of the underlying funds + aggregated fees again."

 

"SX aims to build secure & reliable financial blockchain protocols for EOSIO blockchains." "SX Vaults follow interest yielding strategies that are designed to maximize the yield of the deposited asset and minimize risk."

 

"The vaults.sx and flash.sx smart contracts were open-source, MSIGed, and passed security audits, however the re-entry exploit was not identified."

 

"On May 14th, approximately 1.2M EOS and 462k USDT were stolen via a re-entry attack exploit from the smart contract of flash.sx, the flash loan service of SX Vault." "Approximately 1.2M EOS and 462,000 USDT were stolen in a re-entry attack exploit on the flash.sx flash loan smart contract that began on May 14 at 11:28 UTC."

 

"The vaults.sx contract on EOS mainnet has been exploited through a re-entrancy attack. 1,180,142.5653 EOS (~13M USD) and 461,796.8968 USDT were stolen, making this the biggest hack on EOS."

 

"After a few hours, around 2:00 UTC, the Block Producers reached consensus, and through a Multi-Signature transaction they were able to change the owner and active permissions of all accounts created by the hacker in favor of the eosio.prods account."

 

"In this way they were able to regain control of all funds, which will soon be returned to depositors, without the need for a Hard Fork and creating a precedent to protect the intent of the smart contract also in favor of users."

 

"All of the funds are safe under control of eosio.prods and will be returned to depositors."

 

"Please let this letter serve as my resignation as CEO of EOS Nation effective immediately. I no longer feel as though I can do the best possible job for EOS Nation and the EOS public network and must resign my position." "Sincerely Yours, Yves La Rose"

 

On May 16 at "22:49 the thief publicly apologises and consents to nulling of keys." "Sorry for this incident, due to the lack of good communication, it caused unnecessary harm, I agree to bps to change my key, I ask for their forgiveness for those who have been hurt this time."

 

On May 17 at "10:32 executed 6/10 MSIG to remove the authority of the flash loan contract so that funds can be safely returned to flash.sx."

 

"To our knowledge, there has never been a prior circumstance in EOS where funds have been stolen due to an exploit of a smart contract that has been open-sourced, audited, and MSIGed. With the funds distributed across 246 accounts containing roughly 5000 EOS each, the funds were at risk of exiting the network via no-KYC exchanges at any moment."

 

"Failing to protect property rights in this instance could have had drastic consequences and result in a loss of faith in DeFi on EOS. As was the case with the Bitcoin rollback, the Ethereum DAO hack, and the HIVE fork, history has shown that the chain that protects property rights is the one that survives."

 

"With the consent of the account owner, we propose the block producers sign the MSIG to transfer all of the recovered funds back to the originating flash.sx account, under the authority of the current 6/10 custodians."

 

"Upon the retrieval of the funds, two historical snapshots will be published to easily identify SXEOS & SXUSDT token holders prior & after the event. Token holders with no change in their balance will be granted the posted value rate; token holders who have sold, withdrawn or moved their tokens will be reviewed on a case by case basis."

 

The EOS SX Vault is one of the largest smart contracts on the EOS chain. A hacker exploited this smart contract and stole significant funds.

 

During negotiation the attacker was offered $100k to return the funds, which he refused. Rather than finding a way to liquidate the funds and move them off-chain, he split them across many smaller accounts.

 

However, EOS as a chain has a mechanism that allows funds to be seized by community consensus. This was undertaken through a vote of the block producers, who agreed to revert the damage and take the funds back from the hacker for redistribution.

 

Compromised funds were ultimately distributed back to affected users.

HOW COULD THIS HAVE BEEN PREVENTED?

In the end, it was a multi-signature agreement that returned the funds. This is similar to the recommendation to store funds in an offline multi-signature wallet.

 

Had the contract simply required large fund withdrawals to wait for approval from an offline multi-signature wallet, this would have acted as a check against large losses.
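The withdrawal check suggested above, as an added illustration that is not code from SX, the flash.sx contract, or this page: outflows above a per-transaction limit are parked until a quorum of custodians signs off, instead of paying out immediately. The 100,000 EOS limit and the vault balance are assumed values; the 6/10 quorum and the 1,180,142.5653 EOS figure are taken from the page.

```python
"""Threshold-gated withdrawals with m-of-n custodian approval (simulation)."""
from dataclasses import dataclass, field

LARGE_WITHDRAWAL_LIMIT = 100_000.0  # EOS; assumed policy value, not from the page
QUORUM, CUSTODIANS = 6, 10          # the 6/10 MSIG figure quoted on the page


@dataclass
class Pending:
    account: str
    amount: float
    approvals: set = field(default_factory=set)  # custodian ids that signed


class GatedVault:
    def __init__(self, balance: float):
        self.balance = balance
        self.pending: dict[int, Pending] = {}
        self.next_id = 0

    def withdraw(self, account: str, amount: float):
        """Pay small withdrawals at once; park large ones until the quorum approves."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        if amount <= LARGE_WITHDRAWAL_LIMIT:
            self.balance -= amount
            return ("paid", None)
        self.next_id += 1
        self.pending[self.next_id] = Pending(account, amount)
        return ("pending", self.next_id)

    def approve(self, req_id: int, custodian: int):
        """Record one custodian's signature; execute only once QUORUM is reached."""
        if not 0 <= custodian < CUSTODIANS:
            raise ValueError("unknown custodian")
        req = self.pending[req_id]
        req.approvals.add(custodian)  # a set, so repeat signatures do not count twice
        if len(req.approvals) < QUORUM:
            return ("pending", len(req.approvals))
        del self.pending[req_id]
        self.balance -= req.amount
        return ("paid", len(req.approvals))

    def reject(self, req_id: int):
        """Custodians drop a suspicious request; funds never leave the vault."""
        return self.pending.pop(req_id)


def replay_incident():
    """Constructed replay: a routine withdrawal clears, the drain-sized one is held."""
    vault = GatedVault(balance=1_500_000.0)  # assumed balance
    small = vault.withdraw("depositor", 5_000.0)
    large = vault.withdraw("attacker", 1_180_142.5653)  # amount quoted on the page
    return small, large, vault.balance
```
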

 


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.